Snort rules
orangganjil
08-16-2001, 11:34 PM
I'm trying to figure out snort and am running the default rules (snort.conf) that came with the tarball, but snort is logging all of my own computer's port usage (I'm a lone computer running on @Home network) and my broadcast address. I don't want it to log my own computer's port usage, as well as traffic from my broadcast address. How do I get snort not to log those? Also, if I have portsentry, do I really need snort?
Thanks,
orangganjil
:D
Craig McPherson
08-29-2001, 01:19 AM
Portsentry is 100% worthless for any conceivable purpose other than hanging a sign on your box saying "please r00t me!". I wrote a nice little rant a few months back detailing what a piece of useless turd portsentry is. Ditch it, it's worthless, and can even be counterproductive in some cases.
Snort can be pretty useful. I mainly just run it with Debian's default Snort configuration, which doesn't cause many false alarms. I haven't dug too much into the configuration file syntax, but it sounds like maybe Snort is binding to your loopback interface instead of, or in addition to, your external network interface. Check that. Also, post some examples of messages you're getting.
orangganjil
08-30-2001, 11:07 AM
Thanks. I reconfigured it to pass my broadcast address. It works great now. So you think portsentry sucks? I've got iptables and snort running. Do I really need to run portsentry?
Thanks,
orangganjil
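The poster does not say exactly how they configured Snort to "pass" the broadcast address, so the fragment below is an added illustration, not their configuration and not part of the Snort distribution. It assumes a single host at 192.168.0.10 on a 192.168.0.0/24 network whose broadcast address is 192.168.0.255, listening on eth0; change those values to match your own network. It shows the two mechanisms Snort offers for ignoring traffic: a `pass` rule in the rules file, and a BPF filter given on the command line (the same syntax tcpdump uses).

```conf
# --- local.rules (assumed file name, included from snort.conf) ---
# Ignore anything sent to the LAN broadcast address.
pass ip any any -> 192.168.0.255 any (msg:"ignore LAN broadcast"; sid:1000001; rev:1;)
# Ignore loopback traffic, in case Snort ends up sniffing lo as well as eth0.
pass ip 127.0.0.0/8 any <> 127.0.0.0/8 any (msg:"ignore loopback"; sid:1000002; rev:1;)

# --- snort.conf ---
# Snort's default rule order is alert, pass, log, so a pass rule by itself
# does NOT stop an alert that already matched. Make pass rules win by
# changing the order here, or by starting Snort with -o.
config order: pass alert log
include local.rules

# --- command line (alternative: BPF filter, no pass rules needed) ---
# Bind only to the external interface and drop broadcast and loopback
# traffic before Snort ever sees it.
#   snort -c snort.conf -i eth0 not dst host 192.168.0.255 and not net 127.0.0.0/8
```

The difference between the two approaches matters for a lone host: a pass rule still lets Snort decode and inspect the packet, and only suppresses the alert, so you can later add an exception for a specific broadcast-borne attack; a BPF filter discards the packet in the capture layer, so nothing in that traffic can ever alert. Do not filter out your own host address entirely, as on a single-machine network that is every packet Snort would inspect; if the noise is about your own outbound connections, look at the portscan preprocessor's settings and its ignore list rather than at the rules.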
Craig McPherson
08-30-2001, 08:12 PM
If you have a firewall up and you're running Snort, definitely, definitely ditch Portsentry. Portsentry has two major functions: Detection, where it's completely outclassed by Snort in every way, and Retaliation, which is generally a bad idea to begin with and usually does much more harm than good. There are many, many things wrong with Portsentry. I wrote a delightful rant about it once, but I can't find it now. I'm sad.